European Parliament abandons plan to extend data breach notification law

The European Parliament has dropped its insistence that a new requirement for telecoms firms to tell customers when their personal data is in danger be extended to online banking, email or other service providers.

The European Union's legislative bodies have been locked in disagreement about how far a planned data security breach notification law should go. The Commission and the Council of Ministers wanted it to apply only to telecoms companies. The Parliament wanted it to extend to the providers of online services.

The Parliament has now dropped that demand in a compromise text. It said that there was a general interest in wider breach notification, but reduced its demand to a request that the Commission look into widening the scope of the proposed law in the future.

It said that it wanted breach notification to apply to all online service providers by 2011, in a text that will now form the basis for negotiation with the European Council, which opposes the extension.

"This general interest for users to be notified is clearly not limited to the electronic communications sector and therefore explicit, mandatory notification requirements applicable to all sectors should be introduced at the Community level as a matter of priority," it said. "Pending a review to be carried out by the Commission of all relevant Community legislation in that regard, the Commission, in consultation with the European Data Protection Supervisor, should take appropriate steps without delay to encourage the application of the principles embodied in the data breach notification rules in [the Directive On Privacy And Electronic Communications] throughout the Community, regardless of sector or type of the data concerned."

The text contains a binding notification requirement only for 'publicly available electronic communications service providers', meaning internet service providers and other telecoms firms.

Privacy regulators have said that the security breach notification should be extended beyond just telecoms firms. EU privacy advisor the European Data Protection Supervisor (EDPS) and the 27 national data protection watchdogs operating as the Article 29 Working Party have both published opinions outlining why online banks and other service providers should also be bound by the proposed rule.

"An extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services," said the Article 29 Working Party earlier this year.

"Online transactions including access to e-banking services, private sector medical records and online shopping are a few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens," it said. "Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm."

The new text was supported by MEPs last week but must be renegotiated because of concerns about the disconnection of internet users for file-sharing. The text says that telecoms firms must tell national regulators "as soon as" they become aware of a personal data breach. It says that users themselves must be informed "without delay" if their privacy would be "adversely affected" by the breach.

"A breach should be considered as adversely affecting the subscriber's or individual's data and privacy where it entails … identity theft or fraud, physical harm, significant humiliation or damage to reputation in connection with the provision of publicly available communications services in the Community," says the text. "The notification should include information about measures taken by the provider to address the breach, as well as recommendations for the subscriber or individual concerned."

The telecoms reform package can only be accepted or rejected as a whole, and the Parliament last week rejected the reform because protections for internet users from internet disconnection were too weak. The package must again be the subject of negotiation between the three wings of EU government.